Security Intelligence blog: Making the Move to an All-HTTPS Network

Many website operators have wrestled with the decision to move all their web infrastructure to support HTTPS protocols. The upside is obvious: better protection and a more secure pathway between browser and server. However, it isn’t all that easy to make the switch. In this piece that I wrote for IBM’s Security Intelligence blog, I bring up the case study of The Guardian’s website and what they did to make the transition. It took them more than a year and a lot of careful planning before they could fully support HTTPS.

HPE Insights: 8 lessons about IoT security learned from the Mirai botnet

Botnets are a major threat, and experts recommend a combination of defensive methods to guard against the massive traffic volumes they generate. You’ve probably seen your fill of Mirai-inspired headlines, but keep reading my article on HPE’s latest website: you’ll learn something essential to maintaining your overall IT security posture. I provide a timeline of events since last fall, show how Mirai was first detected, and describe what you should do to protect your enterprise infrastructure.

HPE Insights: 9 ways to make IoT devices more secure

Devices must be more secure if IoT is to reach its full potential. The good news is that security policies and procedures can protect enterprise infrastructure, harden IoT configurations, and make the network smarter and more defensible. Here is where to start, in an article that I recently wrote for a new HPE IT site, where I provide what the bottom-line impact will be for enterprise IT folks and digest information from various sources, including the latest reports from the Broadband Internet Technical Advisory Group (BITAG) and the Cloud Security Alliance.

Security Intelligence blog: Protecting your staff when in co-working spaces

The number of innovative co-working spaces continues to rise around the world, and this doesn’t even include coffee shops, libraries and numerous other public places that offer free Wi-Fi. It’s important to consider the security implications of what these itinerant workers are doing. IT managers are challenged to keep their networks and data secure while encouraging remote workers to be productive, whether they’re dialing in from the local WeWork or reviewing emails at McDonald’s.

Here are some practical security considerations from my latest blog post for IBM’s SecurityIntelligence. 

Network World review: Microsoft Windows Defender comes up short

Microsoft’s latest version of its anti-malware tool, Windows Defender, is a frustrating product to evaluate. Once you examine the product in more detail, you will see why we cannot recommend it for enterprise use. And that is the frustration of this product: Microsoft is trying to do the right thing and offers a tempting feast, but ultimately offers an incomplete meal that is tough to digest. It is hard to track, hard to configure, hard to remove and hard to manage in a typical enterprise environment.

It might be all the antivirus that a home user needs, but when it comes to the business world, you are better off with something else.

You can read the full review in Network World here.

How women were one of the first computers

Back in the 1940s and 1950s, computers were people, not machines. And one group of these human computers worked at a NASA research lab in southern Virginia. An upcoming movie, Hidden Figures, focuses on how three of these human computers helped with John Glenn’s historic first US orbital flight in 1962. As you probably know, Glenn died earlier this week at the ripe old age of 95.

I haven’t yet seen the movie — it will be out in a few weeks. But the underlying story is terrific. The three human computers turn out to be three black women mathematicians, including Katherine Johnson (shown above) who recently received the Congressional Freedom Medal.

One of the interesting historical notes was Glenn insisted that Johnson check the electronic computer’s calculations of his orbit, to make sure they were accurate. This was back when computers filled rooms and were slower than the CPUs that are found in the average smartphone nowadays.

Johnson continued to work at NASA until 1986 combining her math talent with electronic computer skills. Her calculations proved critical to the success of the Apollo Moon landing program and the start of the Space Shuttle program, according to this NASA writeup.

There are more video interviews with the actresses Octavia Spencer, Taraji Henson (who plays Johnson) and Janelle Monae (shown above), as well as with the real people behind the story, here at NextGov.

In addition to the movie, there is a book by Margot Lee Shetterly that was just published. Why did it take so long for this story to come out? Shetterly apparently learned about the achievements of these women computers from her father, who “casually mentioned it to her in an offhand comment,” according to Rudy Horne, a math professor at Morehouse College and a consultant to the movie production. Horne got involved because his college was used as a film location (the college campus is used to simulate the NASA Langley campus in southern Virginia where the story takes place), and the director wanted a real math professor to check his calculations. One of the wonderful coincidences is that the current NASA administrator and Horne himself are both African Americans.

Horne was brought on early in the production, before the script was finalized, to ensure that the math checked out. I called him and asked about his role. “In the beginning of the film, the young Johnson is shown solving a series of equations on a blackboard. They originally showed her solving a functional analysis problem, which is more of a college level math course. I suggested a set of quadratic equations, which would be more appropriate for a younger student.” Horne made several other suggestions for the sets and props to show other math formulas. When I asked him what his favorite math-themed movie was, he said, “Good Will Hunting got the math right and had very believable scenes that showed how math professors interact. I am glad that I was a consultant to this movie, and it is great if it will inspire other students to study math and science.” As an undergrad math major, me too.

Regaining Trust: What to do AFTER a Security Breach

In the past few years, it seems that large-scale data breaches have been occurring with depressing regularity. While it’s incredibly important to establish trustworthiness in any product, re-establishing trust after it has been violated is much harder to do. There is far less room for error when dealing with a customer base that already has reason for concern about an organization’s digital security.

When breaches do occur, the best plan to regain trust is to use webpages with plain language that contain plenty of specifics and constructive suggestions for issue resolution. In this article for UXPA Magazine, a professional journal for the user experience community, Danielle Cooley and I use the example of four recent breaches (Cici’s Pizza, Home Depot, Wendy’s Restaurants, and Omni Hotels) to see how each firm tried to regain its customers’ trust.

iBoss blog: Why Grammar Counts in Decoding Phished Emails

When it comes to crafting the “best” phishing email scam letter, over the years it has been assumed that the less polished a letter, the better. Having something that is poorly worded, or purposely uses bad syntax and grammar tends to eliminate the sharper-eyed readers who probably wouldn’t respond to the phish anyway. This way the phisher ensures that only the most gullible users will end up getting snared.

However, the tide may be turning, and finally grammarians might be gaining the upper hand. A new theory is that correct grammar gets better results these days. My blog post for iBoss has the details about how the French are leading the charge.

iBoss blog: How to Communicate to Your Customers After a Breach


There have been numerous breaches at major consumer retail companies over the past year. Most of these are followed with some kind of “apology letter,” laying out what customers can do to protect their credit and what information was stolen from the retailer’s databases. Sadly, there aren’t any shining examples in this collection of correspondence, and the cases that I’ll cite here are what to avoid rather than to mimic. But there are some important lessons to be learned, from designing better apology letters to improving IT practices post-breach.

You can read the article on the iBoss blog here.

Security Intelligence: Use a Malware Simulator to Better Defend Against Ransomware

If you are looking for ways to run a malware simulator to test ransomware and other forms of malware in your environment, but don’t want to deal with the actual materials to infect your systems, look no further than the Shinosec ShinoLocker suite. This is a malware simulator and target attacking suite for penetration testers and other researchers. I talk more about this innovative product in my post today for SecurityIntelligence blog.